Security Hacks

1534 Articles

This Week In Security: Lastpass Takeaway, Bitcoin Loss, And PyTorch

January 6, 2023 by 10 Comments

We mentioned the LastPass story in closing a couple weeks ago, but details were still a bit scarce. The hope was that LastPass would release more transparent information about what happened, and how many accounts were accessed. Unfortunately it looks like the December 22nd news release is all we’re going to get. For LastPass users, it’s time to make some decisions.

To recap, an attacker used information from the August 2022 breach to target a LastPass Employee with a social engineering ploy. This succeeded, and the attacker managed to access LastPass backups, specifically a customer account database and customer vaults. There has been no official word of how many users’ data were included, but the indication is that it was the entire dataset. And to make matters worse, the encrypted vault is only partially encrypted. Saved URLs were exposed as plain-text to the attacker, though usernames and passwords are still encrypted using your master password.

So what should a LastPass user do now? It depends. We can assume that whoever has the LastPass vault data is currently throwing every password list available at it. If you used a weak password — derived from words in any language or previously compromised — then it’s time to change all of your passwords that were in the vault. They are burned. Continue reading “This Week In Security: Lastpass Takeaway, Bitcoin Loss, And PyTorch”

The Surprisingly Simple Way To Steal Cryptocurrency

January 6, 2023 by 78 Comments

In the news a few days ago, the revelation that Luke Dashjr, a core Bitcoin developer, had his wallet compromised, and lost 200 BTC. A small fortune, and something of a shock. I’m guessing that someone with that expertise would not have left his private key lying around, so as a cryptocurrency non-enthusiast I’m left curious as to how the attackers might have done it. So I phoned a few friends who do walk those paths for an explanation, and the result was a fascinating conversation or two. The most probable answer is still that someone broke into his computer and copied the keys — straight-up computer theft. But there’s another possible avenue that doesn’t involve stealing anything, and is surprisingly simple. Continue reading “The Surprisingly Simple Way To Steal Cryptocurrency”

The Problem With Passwords

January 3, 2023 by 129 Comments

By now it’s probable that most readers will have heard about LastPass’s “Security Incident“, in which users’ password vaults were lifted from their servers. We’re told that the vaults are encrypted such that they’re of little use to anyone without futuristic computing power and a lot of time, but the damage is still done and I for one am glad that I wasn’t a subscriber to their service. But perhaps the debacle serves a very good purpose for all of us, in that it affords a much-needed opportunity for a look at the way we do passwords. Continue reading “The Problem With Passwords”

This Week In Security: Adblock For Security, ProxyNotShell Lives, And CVSS 10 To Not Worry About

December 30, 2022 by 14 Comments

The ubiquity of ransomware continues, this time with The Guardian announcing they were partially shut down from an attack. Staff are working from home as the incident is being investigated and data is recovered. Publishing seems to be continuing, and the print paper ran as expected.

There have been a couple reports published recently on how ransomware and other malware is distributed, the first being a public service announcement from the FBI, detailing what might be a blindly obvious attack vector — search engine advertising. A bad actor picks a company or common search term, pays for placement on a search engine, and then builds a fake web site that looks legitimate. For bonus points, this uses a typosquatted domain, like adobe[dot]cm or a punycode domain that looks even closer to the real thing.

The FBI has a trio of recommendations, one of which I whole-heartedly agree with. Their first suggestion is to inspect links before clicking them, which is great, except for the punycode attack. In fact, there are enough lookalike glyphs to make this essentially useless. Second is to type in URLs directly rather than using a search engine to find a company’s site. This is great so long as you know the URL and don’t make a typo. But honestly, haven’t we all accidentally ended up at website[dot]co by doing this? Their last recommendation is the good one, and that is to run a high-quality ad-blocker for security. Just remember to selectively disable blocking for websites you want to support. (Like Hackaday!) Continue reading “This Week In Security: Adblock For Security, ProxyNotShell Lives, And CVSS 10 To Not Worry About”

A beige keyboard with blue and grey keys sits on a colorful deskmat atop a wooden desk. A small box with a round Touch ID button sits next to the keyboard.

Standalone Touch ID For Your Desktop Mac

December 26, 2022 by 1 Comment

With the proliferation of biometric access to mobile devices, entering a password on your desktop can feel so passé. [Snazzy Labs] decided to fix this problem for his Mac by liberating the Touch ID from a new Apple keyboard.

When Apple introduced its own silicon for its desktops, it also revealed desktop keyboards that included their Touch ID fingerprint reader system. Fingerprint access to your computer is handy, but not everyone is a fan of the typing experience on Apple keyboards. Wanting to avoid taping a keyboard under his desk, [Snazzy Labs] pulled the logic board from the keyboard and designed a new 3D printed enclosure for the Touch ID button and logic board so that the fingerprint reader could reside close to where the users hands actually are.

One interesting detail discovered was the significantly different logic boards between the standard and numpad-containing variants. The final enclosure designs feature both wireless and wired versions for both the standard and numpad logic boards if you should choose to build one of your own. We’re interested to see if someone can take this the next step and use the logic board to wire up a custom mechanical keyboard with Touch ID.

If [Snazzy Labs] seems familiar, you may recognize him from their Mac Mini Mini. If you’re more in the mood to take your security to the extreme, check out this Four Factor Biometric Lockbox that includes its own fingerprint reader.

Continue reading “Standalone Touch ID For Your Desktop Mac”

The Spit-Detecting USB Flash Drive Is Nearly Here

December 25, 2022 by 17 Comments

Regular readers may recall that security researcher and general open source hardware fanatic [Walker] has been planning a rather unusual flash drive for some time — one that will only show its contents if the user makes sure to lick their fingers before plugging it in. We’re pleased to report that theory has recently given way to real hardware, and the Ovrdrive “self-destructing” flash drive is now a step closer to reality.

The last time we checked in with [Walker], he hadn’t yet put any hardware together, though he was fairly sure what components he would need and how it would all go together. This was assisted somewhat by the fact that USB flash drives are such a ubiquitous piece of tech, making their principle parts plentiful and fairly well documented. As explained in the video below, all you really need to spin up your own flash drive is the USB connector, the controller chip, and a nice slab of flash memory for it to access. Though naturally you’re on your own for spit detection.

The build video has some gorgeous camera work.

What we especially like about this project is that [Walker] is releasing the whole thing as open source hardware. So even if you’re not interested in the whole lick-for-access feature, you’ve still got a boilerplate flash drive design to build on. We haven’t seen a lot of DIY projects tackle USB Mass Storage previously, and perhaps this design can change that.

But of course, only if the thing works. According to the video after the break, [Walker] seems to have hit a snag with this revision of the hardware. While it enumerates as a storage device when plugged into the computer, the operating system claims its capacity is zero. He thinks there might be a swapped trace between the controller and flash chip to blame, so hopefully he can get things sorted out before too long. We’ve been covering this project since the summer, and are eager to see it cross the finish line.

Continue reading “The Spit-Detecting USB Flash Drive Is Nearly Here”

This Week In Security: GitHub Actions, SHA-1 Retirement, And A Self-Worming Vulnerability

December 23, 2022 by 6 Comments

It should be no surprise that running untrusted code in a GitHub Actions workflow can have unintended consequences. It’s a killer feature, to automatically run through a code test suite whenever a pull request is opened. But that pull request is run in some part of the target’s development environment, and there’s been a few clever attacks found over the years that take advantage of that. There’s now another one, what Legit Security calls Github Environment Injection, and there were some big-name organizations vulnerable to it.

The crux of the issue is the $GITHUB_ENV file, which contains environment variables to be set in the Actions environment. Individual variables get added to this file as part of the automated action, and that process needs to include some sanitization of data. Otherwise, an attacker can send an environment variable that includes a newline and completely unintended environment variable. And an unintended, arbitrary environment variable is game over for the security of the workflow. The example uses the NODE_OPTIONS variable to dump the entire environment to an accessible output. Any API keys or other secrets are revealed.

This particular attack was reported to GitHub, but there isn’t a practical way to fix it architecturally. So it’s up to individual projects to be very careful about writing untrusted data into the $GITHUB_ENV file.

Continue reading “This Week In Security: GitHub Actions, SHA-1 Retirement, And A Self-Worming Vulnerability”